From d7be63f71efccefb8bf8016f3b83b6db3deab4fb Mon Sep 17 00:00:00 2001 From: ogt Date: Wed, 15 Jul 2026 09:37:49 +0800 Subject: [PATCH] fix(security): classify public MCP aggregate readback --- services/http_access_policy_service.py | 1 + tests/test_external_mcp_rag_integration_service.py | 5 +++++ tests/test_security_governance_review_service.py | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/services/http_access_policy_service.py b/services/http_access_policy_service.py index 44ee1f9..38f7678 100644 --- a/services/http_access_policy_service.py +++ b/services/http_access_policy_service.py @@ -42,6 +42,7 @@ INTENTIONALLY_PUBLIC_ENDPOINTS = frozenset({ "misc.brand_assets", "system_public.favicon", "system_public.health_check", + "system_public.public_mcp_federation_readback_api", "system_public.webcrumbs_asset_proxy", "user_bp.get_password_reqs", }) diff --git a/tests/test_external_mcp_rag_integration_service.py b/tests/test_external_mcp_rag_integration_service.py index c7bfb18..235e749 100644 --- a/tests/test_external_mcp_rag_integration_service.py +++ b/tests/test_external_mcp_rag_integration_service.py @@ -146,6 +146,7 @@ def test_public_federation_route_is_anonymous_aggregate_only(monkeypatch): from flask import Flask from routes import system_public_routes as routes from services import external_mcp_rag_integration_service as service + from services.http_access_policy_service import INTENTIONALLY_PUBLIC_ENDPOINTS monkeypatch.setattr(service, "build_public_mcp_federation_receipt", lambda **_: { "success": True, @@ -170,3 +171,7 @@ def test_public_federation_route_is_anonymous_aggregate_only(monkeypatch): "ewoooc", "momo-pro-system", } + assert ( + "system_public.public_mcp_federation_readback_api" + in INTENTIONALLY_PUBLIC_ENDPOINTS + ) diff --git a/tests/test_security_governance_review_service.py b/tests/test_security_governance_review_service.py index 58ea359..1209829 100644 --- a/tests/test_security_governance_review_service.py +++ b/tests/test_security_governance_review_service.py @@ -38,7 +38,7 @@ def test_security_governance_review_is_honest_and_release_gate_passes(): access = checks["PR.AA-route-access-control"]["evidence"] assert access["mutating_unguarded_count"] == 0 assert access["unclassified_unguarded_count"] == 0 - assert access["unguarded_count"] == 7 + assert access["unguarded_count"] == 8 dependencies = checks["ID.RA-dependency-vulnerability-management"]["evidence"] assert dependencies["sbom_files"] == [] supply = checks["GV.SC-gitea-only-supply-chain"]